OpenSSL, OpenSSH and NTP to receive support from Core Infrastructure Initiative (opens in new tab)

(linuxfoundation.org)

181 pointsryanweal12y ago90 comments

"Network Time Protocol, OpenSSH and OpenSSL first projects to receive support; Open Crypto Audit Project to conduct security audit of OpenSSL"

90 comments

54 comments · 11 top-level

kyledrake12y ago· 24 in thread

Just give the money to the OpenBSD team. We saw with OpenSSH that they have a proven track record taking crappy security software and fixing it. Why does everyone have this aversion to giving the OpenBSD team the funding they deserve?

And "Theo's a dick" doesn't qualify as a valid reason to not fund real security development. For the work those guys have done improving the security infrastructure of every operating system (they lead, others followed), the entire team deserves to be well-off dicks. It's to me the ultimate highlight of OSS's funding problem. People make millions/billions of dollars off of this software, and nobody ever contributes any of that back to the shoulders they stood on to make that happen.

tptacek12y ago

OpenBSD is not auditing OpenSSL. They're substantially rewriting it. The net effect is hopefully similar, but it's a very different path to get there. Further, the refactor might introduce new bugs, and it can easily miss subtle bugs (we're talking about cryptography, which is not as easy to spot or to fix "accidentally" [which is part of OpenBSD's M.O.] as memory corruption).

"Theo's a dick" has nothing to do with why funds are being applied to audit and not to "just have OpenBSD rewrite everything".

marcosdumay12y ago

A security audit may also miss subtle bugs, and the proposed corrections may introduce new bugs.

A rewrite has the benefit that it will lead to manageable code, instead of the current mess. Clean code has less places where subtle bug can hide, that does not change just because you are doing cryptography.

Anyway, they should send money to both. Both are important, and those companies make so much money using free software, they shouldn't be choosing the projects with that fine granularity. The problem is that they won't, and as much as kyledrake does not like the answer, it's because of Theo. Yes, it's a stupid decision, but it does not make it less real.

1 more reply

sigzero12y ago

I would trust Theo's team over the OpenSSL team any day of the week.

2 more replies

InclinedPlane12y ago

I get what you're saying. But I think this is a case where simplification and rewrites is going to greatly enhance the ability to effectively audit the code. I will trust LibreSSL audits about a hojillion times more than OpenSSL audits at this point, just down to code complexity and surface area alone.

And there is no question about it they absolutely will introduce new bugs. But hopefully the increased scrutiny and easier to read code means that they are less likely to have extremely bad bugs latent in the codebase for years without anyone noticing, as has been the case with OpenSSL.

simula6712y ago

From Beck's talk[1] they are not reviewing the cryptography code, merely cleaning up the programming. They admit they don't yet have cryptography experts reviewing if the algorithms/implementations are doing what they are supposed to be doing and that they are in fact secure.

[1] http://www.youtube.com/watch?v=GnBbhXBDmwU

talideon12y ago

True, but many of the things OpenBSD are doing to their fork are making automated capture of errors easier. Their work getting rid of the layers of crud around the OS memory allocator alone mean that tools like valgrind and other profilers now have a fighting chance of actually being useful.

gaadd3312y ago

Isn't there two sets of money going towards OpenSSL? One set is for hiring 2 full time developers (which seems like the money that should go towards OpenBSD) and then the other set is going to OCAP for a security audit.

tedivm12y ago

Personally I think two healthy forks of OpenSSL is far, far better than one. I also think that the OpenBSD team is going to take some time before it reaches it's goals, and more importantly before it's in a stable enough point where people can start working on porting their version to other platforms.

I don't think it makes sense to leave OpenSSL to wither while that happens, especially since it's an actively used product.

That being said I'm far, far more confident in the OpenBSD team than I am the OpenSSL one.

eliteraspberrie12y ago

Why does everyone have this aversion to giving the OpenBSD team the funding they deserve?

One reason may be that donations to the OpenBSD Foundation are not tax-deductible in the US.

Touche12y ago

Actually if I'm giving someone a donation, charity, then whether they are or are not a dick is a perfectly valid part of the decision. And to me how you run a project is as important as the quality of the final result.

pessimizer12y ago

You don't have to have a reason to not donate to something, so the color of their shoes is also a perfectly valid part of the decision. The important question is whether it's a good reason. If you rank the style of his speech as a more important issue than having secure software (unless you think that the style of speech will negatively effect the software), I'd wonder how a single person's personality got so high on your list of priorities.

It sounds a bit like voting for a president because he's the guy you feel you'd most enjoy having a beer with: short-sighted.

1 more reply

Florin_Andrei12y ago

> And "Theo's a dick" doesn't qualify as a valid reason to not fund real security development.

Yeah, but people who give money usually tend to see that as a valid reason.

davidgerard12y ago

I think you mean "excuse". Anyone who's ever attempted to sell anything will tell you of customers who say "I would buy it if only you turned it upside-down and painted it blue" but don't cough up when you do. Similarly, every single person reading this uses SSH daily but will go "ah, uh, but Theo's a dick!" as their excuse not to cough up.

1 more reply

angersock12y ago

Seems to have worked out for Torvalds and good chunks of the Web ecosystem.

1 more reply

dfc12y ago

Theo's "outspokeness" is believed to be the reason that DARPA canceled a million dollar development grant.

https://en.wikipedia.org/wiki/Theo_de_Raadt#DARPA_funding_ca...

1 more reply

mhurron12y ago

> Just give the money to the OpenBSD team

Unless OpenBSD decides to change, that is the way to fund OpenSSH. Currently you don't get to decide how your donations are spent by them, OpenSSH isn't it's own spinoff funded group.

avar12y ago

Is it possible to give them more granular donations? I want to support OpenSSH and LibreSSL, but I don't cae about OpenBSD.

The reason I don't donate to them is that I feel like most of my donation will be going towards something I don't care about.

protomyth12y ago

Its one and the same, plus if you care about LibreSSL and OpenSSH than you need to care about OpenBSD because of the assumptions that code makes and what needs to added to the ported code to make it safe on other platforms.

1 more reply

rodgerd12y ago

> Why does everyone have this aversion to giving the OpenBSD team the funding they deserve?

Given their work is avowdly OpenBSD-only and portability has to be added on in the case of e.g. OpenSSH it would seem a dead-end for anyone who wants broader platform support.

axman612y ago

They've explicitly said that they are seeking to reduce the surface area for bugs by initially removing cross platform compatibility, and then exposing what primitives the OS needs to supply to make it possible to port. This seems like a much much saner approach to me than trying to work through every quirk in every operating system known to man in the one project itself. Any OS that doesn't implement any of the primitives can legally go and take OpenBSD's implementation and use it if necessary (and hopefully contribute money or code back to them).

I'm not sure why you brought up OpenSSH, since it's by far the most widely used SSh implementation in the world...

1 more reply

protomyth12y ago

Strange characterization given OpenSSH is everywhere so it isn't a dead-end.

lomnakkus12y ago

Maybe I'm misremembering, but SSH wasn't crappy, it was just proprietary. (I'm no fan of proprietary software, but let's at least be honest here.)

protomyth12y ago

you are correct, http://en.wikipedia.org/wiki/OpenSSH

"OpenSSH was created by the OpenBSD team as an alternative to the original SSH software by Tatu Ylönen, which is now proprietary software. Although source code is available for the original SSH, various restrictions are imposed on its use and distribution. OpenSSH was created as a fork of Björn Grönvall's OSSH that itself was a fork of Tatu Ylönen's original free SSH 1.2.12 release, which was the last one having a license suitable for forking."

jmdn2812y ago

That reminds me of TrueCrypt and the TrueCrypt Audit Project.

mjibson12y ago· 4 in thread

It is possible the OpenSSH funding, since it is done through the OpenBSD Foundation, could, at the Foundation's discretion, go toward LibreSSL, since it's the same group.

Alupis12y ago

No it's not. Libressl is a different team; one that feels a fork was more appropriate than just fixing the problems in openssl.

IMHO, libressl is a mistake. It's splitting resources over something that needs to be as air-tight as possible. I'd much rather have 1 really really good ssl library that everyone uses instead of 2 so-so ones.

clarry12y ago

> No it's not. Libressl is a different team

OpenSSH and LibreSSL are both a part of OpenBSD. So when you donate to the OpenBSD Foundation, you are very much donating to one project.

> one that feels a fork was more appropriate than just fixing the problems in openssl

You can't start fixing things in other peoples' source tree just like that. I'm pretty sure nothing useful would've come out of it if the OpenBSD folk had sent half a million lines in diffs to OpenSSL; http://www.openbsd.org/papers/bsdcan14-libressl/mgp00026.htm...

2 more replies

forgottenpass12y ago

I'd much rather have 1 really really good ssl library that everyone uses instead of 2 so-so ones.

That's reasonable, but those aren't the options at play here. Not only because GnuTLS is already a thing, but the chances of OpenSSL becoming really really good are questionable.

An OpenBSD guy gave a talk a few weeks back where he said that Heartbleed wasn't the reason for the split, it was the reason for digging into the code and realizing that OpenSSL under current leadership isn't capable of being a really really good option.

https://www.youtube.com/watch?v=GnBbhXBDmwU

lomnakkus12y ago

"just fixing the problems in openssl."

That's what libressl is about. If you're in any doubt, please see this talk: https://www.youtube.com/watch?v=GnBbhXBDmwU

1 more reply

allendoerfer12y ago· 3 in thread

When the missing funding of OpenSSL was discussed, it came up several times, that OpenSSH, while doing great, is quite underfunded, too. I am glad to see them getting some money.

What i can't really comment on myself, but am reading from the OpenBSD guys is, that the OpenSSL team does quite well with FIPS consulting and has no increased interest in improving the library.[0]

Even if those claims are not true, it would be nice to see several other TLS libraries (GnuTLS, LibreSSL etc.) getting sponsored to get some healthy competition. Maybe, they could even directly compete for shares of the funding by the Linux Foundation in some way.

[0]: http://www.openbsd.org/papers/bsdcan14-libressl/mgp00008.htm...

awj12y ago

Straight from the horse's mouth[1]

> Also, the income they earn though their paid consulting work supports their unpaid work on OpenSSL, so by hiring OpenSSL team members you are not only solving your own problems but also helping to ensure the long term viability of the OpenSSL product.

They also on their website list hourly consulting starting at $250/hour. Neither of these describe how much they get out of this, but it seems reasonable to say that the "OpenSSL runs of $2k/year" line is disingenuous at best.

[1] http://www.openssl.org/support/consulting.html

rgbrenner12y ago

"but it seems reasonable to say that the "OpenSSL runs of $2k/year" line is disingenuous at best."

Is it? The last contract listed on that page is 4 years old. Maybe they don't regularly get contracts.

clarry12y ago

Just in case someone missed it, here's video of the libressl talk to go with the linked slide(s). https://www.youtube.com/watch?v=GnBbhXBDmwU

mrweasel12y ago· 3 in thread

I'm actually looking forward to seeing how the OpenSSL problem will deal with their own legacy code, compared to how the OpenBSD developers have handled it.

It seems that own of the only ways of dealing with the OpenSSL code is to strip out the code for a large number of, should we say "less used platforms". Is the OpenSSL developers willing to drop support for 16 bit Windows or OpenVMS?

dfc12y ago

One of my favorite platform removals was support for the Cray T3E, as in the debuted in 1995, Cray Research T3E.[1,2]

  -/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
  -#ifndef BIT_FIELD_LIMITS
          memcpy(&server.sin_addr.s_addr, ip, 4);
  -#else
  -       memcpy(&server.sin_addr, ip, 4);
  -#endif

[^1]: http://freshbsd.org/commit/openbsd/01f41ed5b37037b963c0de2c2...

[^2]: https://en.wikipedia.org/wiki/Cray_T3E

wmf12y ago

Is the OpenSSL developers willing to drop support for 16 bit Windows or OpenVMS?

They either need to properly maintain it or drop it, and they don't have enough money to maintain it.

jimktrains212y ago

I just want to know who's still compiling against 16bit windows or OpenVMS. I know my world view isn't infinite, but those systems seem a bit out there.

2 more replies

adventureloop12y ago· 3 in thread

I skimmed, but cannot seem to see which project is being supported when they say NTP.

When you support the OpenBSD Foundation you support:

- OpenBSD - OpenSSH - OpenBGPD - OpenNTPD - OpenSMTPD - LibreSSL

The wording makes me think that the initiative will be supporting something other than OpenNTPD

dankohn112y ago

They're supporting 4 projects so far: OpenSSL, OpenSSH, NTPd, and an Open Crypto Audit Project (OCAP) audit of OpenSSL. The Network Time Protocol project is here: http://ntp.org/

greglindahl12y ago

ntp has an open-source reference implementation that many Linux distros use. See http://www.ntp.org/

skreuzer12y ago

Don't forget OpenCVS

orik12y ago· 2 in thread

If OpenSSL software foundation is a for profit operation, why are tech companies funding it(1) instead of LibreSSL?

1: http://arstechnica.com/information-technology/2014/04/tech-g....

tytso12y ago

The CII is not funding the OpenSSL Foundation; it is directly funding two OpenSSL developers, so they can work on whatever is best for OpenSSL, instead of whatever feature improvements contracted by the OpenSSL Foundation.

As a result, the people behind the OpenSSL Foundation are NOT taking a cut of the monies from the CII.

pjscott12y ago

The tech companies want OpenSSL to improve, and are willing to pay money; the OpenSSL guys will improve OpenSSL if paid money. What's the problem here?

joealba12y ago· 2 in thread

What about BIND for DNS?

mprovost12y ago

The DNS ecosystem is much more diverse. djbdns is considered to be the most secure, and there are a few other quality implementations. The root servers, for example, run a mixture of BIND and NSD, so no single bug can affect all of them.

noselasd12y ago

bind has had ok funding over the years.

Though, bind 10 hasn't gone as well as planned - that's been other issues than funding though - https://ripe68.ripe.net/presentations/208-The_Decline_and_Fa...

dmix12y ago· 1 in thread

How do code security audits actually work? Are various well-experienced people just combing through the code and trying to break it? Or is there a more formal process?

chrisrohlf12y ago

This depends on a couple of different things. The most important of which is "at what stage of development is the application? (i.e. how mature and well tested is this code)". Software Development Life Cycle (SDLC) processes are great when followed from the start. When they are applied long after the first 100k+ lines of code are written then its harder. A typical code audit for us (I do this professionally at http://leafsr.com) involves some threat modeling, attack surface enumeration, manual data-flow and taint analysis ("where does untrusted data come into this application and how is it handled") and finally just reading the code. Timing and scope will heavily influence how deep you can go. 1 week on OpenSSH will probably get you nothing, 6 weeks on OpenSSL will definitely get you something.

(edit: expanded on what is most important)

tux12y ago· 1 in thread

Having "Huawei" as one of the backers does not create confidance. Recent news shows that they had there hardware backdoored.

https://duckduckgo.com/?kh=1&q=Huawei&sites=www.schneier.com...

vidarh12y ago

How is the NSA's ability to backdoor Huawei hardware relevant for Huawei's ability to provide money to help fund audits?

Presumably, the NSA hacking is a reason for Huawei to start caring a great deal more about investing in security.

dfc12y ago

This is great news. NTP is one of the least appreciated OSS projects. Harlan and the rest of the ntp dev team are very helpful and deserve a lot of respect for keeping the clocks on time. I can only hope that increased ntp funding/awareness/development means that BitKeeper (not a typo) is finally replaced by git/mercurial.

davidgerard12y ago

Just LibreSSL. Let OpenSSL die its deserved death. Portable LibreSSL will do wonders.

j / k navigate · click thread line to collapse

90 comments

54 comments · 11 top-level

kyledrake12y ago· 24 in thread

tptacek12y ago

"Theo's a dick" has nothing to do with why funds are being applied to audit and not to "just have OpenBSD rewrite everything".

marcosdumay12y ago

A security audit may also miss subtle bugs, and the proposed corrections may introduce new bugs.

1 more reply

sigzero12y ago

I would trust Theo's team over the OpenSSL team any day of the week.

2 more replies

InclinedPlane12y ago

simula6712y ago

[1] http://www.youtube.com/watch?v=GnBbhXBDmwU

talideon12y ago

gaadd3312y ago

tedivm12y ago

I don't think it makes sense to leave OpenSSL to wither while that happens, especially since it's an actively used product.

That being said I'm far, far more confident in the OpenBSD team than I am the OpenSSL one.

eliteraspberrie12y ago

Why does everyone have this aversion to giving the OpenBSD team the funding they deserve?

One reason may be that donations to the OpenBSD Foundation are not tax-deductible in the US.

Touche12y ago

pessimizer12y ago

It sounds a bit like voting for a president because he's the guy you feel you'd most enjoy having a beer with: short-sighted.

1 more reply

Florin_Andrei12y ago

> And "Theo's a dick" doesn't qualify as a valid reason to not fund real security development.

Yeah, but people who give money usually tend to see that as a valid reason.

davidgerard12y ago

1 more reply

angersock12y ago

Seems to have worked out for Torvalds and good chunks of the Web ecosystem.

1 more reply

dfc12y ago

Theo's "outspokeness" is believed to be the reason that DARPA canceled a million dollar development grant.

https://en.wikipedia.org/wiki/Theo_de_Raadt#DARPA_funding_ca...

1 more reply

mhurron12y ago

> Just give the money to the OpenBSD team

Unless OpenBSD decides to change, that is the way to fund OpenSSH. Currently you don't get to decide how your donations are spent by them, OpenSSH isn't it's own spinoff funded group.

avar12y ago

Is it possible to give them more granular donations? I want to support OpenSSH and LibreSSL, but I don't cae about OpenBSD.

The reason I don't donate to them is that I feel like most of my donation will be going towards something I don't care about.

protomyth12y ago

1 more reply

rodgerd12y ago

> Why does everyone have this aversion to giving the OpenBSD team the funding they deserve?

Given their work is avowdly OpenBSD-only and portability has to be added on in the case of e.g. OpenSSH it would seem a dead-end for anyone who wants broader platform support.

axman612y ago

I'm not sure why you brought up OpenSSH, since it's by far the most widely used SSh implementation in the world...

1 more reply

protomyth12y ago

Strange characterization given OpenSSH is everywhere so it isn't a dead-end.

lomnakkus12y ago

Maybe I'm misremembering, but SSH wasn't crappy, it was just proprietary. (I'm no fan of proprietary software, but let's at least be honest here.)

protomyth12y ago

you are correct, http://en.wikipedia.org/wiki/OpenSSH

jmdn2812y ago

That reminds me of TrueCrypt and the TrueCrypt Audit Project.

mjibson12y ago· 4 in thread

It is possible the OpenSSH funding, since it is done through the OpenBSD Foundation, could, at the Foundation's discretion, go toward LibreSSL, since it's the same group.

Alupis12y ago

No it's not. Libressl is a different team; one that feels a fork was more appropriate than just fixing the problems in openssl.

clarry12y ago

> No it's not. Libressl is a different team

OpenSSH and LibreSSL are both a part of OpenBSD. So when you donate to the OpenBSD Foundation, you are very much donating to one project.

> one that feels a fork was more appropriate than just fixing the problems in openssl

2 more replies

forgottenpass12y ago

I'd much rather have 1 really really good ssl library that everyone uses instead of 2 so-so ones.

That's reasonable, but those aren't the options at play here. Not only because GnuTLS is already a thing, but the chances of OpenSSL becoming really really good are questionable.

https://www.youtube.com/watch?v=GnBbhXBDmwU

lomnakkus12y ago

"just fixing the problems in openssl."

That's what libressl is about. If you're in any doubt, please see this talk: https://www.youtube.com/watch?v=GnBbhXBDmwU

1 more reply

allendoerfer12y ago· 3 in thread

When the missing funding of OpenSSL was discussed, it came up several times, that OpenSSH, while doing great, is quite underfunded, too. I am glad to see them getting some money.

What i can't really comment on myself, but am reading from the OpenBSD guys is, that the OpenSSL team does quite well with FIPS consulting and has no increased interest in improving the library.[0]

[0]: http://www.openbsd.org/papers/bsdcan14-libressl/mgp00008.htm...

awj12y ago

Straight from the horse's mouth[1]

[1] http://www.openssl.org/support/consulting.html

rgbrenner12y ago

"but it seems reasonable to say that the "OpenSSL runs of $2k/year" line is disingenuous at best."

Is it? The last contract listed on that page is 4 years old. Maybe they don't regularly get contracts.

clarry12y ago

Just in case someone missed it, here's video of the libressl talk to go with the linked slide(s). https://www.youtube.com/watch?v=GnBbhXBDmwU

mrweasel12y ago· 3 in thread

I'm actually looking forward to seeing how the OpenSSL problem will deal with their own legacy code, compared to how the OpenBSD developers have handled it.

dfc12y ago

One of my favorite platform removals was support for the Cray T3E, as in the debuted in 1995, Cray Research T3E.[1,2]

  -/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
  -#ifndef BIT_FIELD_LIMITS
          memcpy(&server.sin_addr.s_addr, ip, 4);
  -#else
  -       memcpy(&server.sin_addr, ip, 4);
  -#endif

[^1]: http://freshbsd.org/commit/openbsd/01f41ed5b37037b963c0de2c2...

[^2]: https://en.wikipedia.org/wiki/Cray_T3E

wmf12y ago

Is the OpenSSL developers willing to drop support for 16 bit Windows or OpenVMS?

They either need to properly maintain it or drop it, and they don't have enough money to maintain it.

jimktrains212y ago

I just want to know who's still compiling against 16bit windows or OpenVMS. I know my world view isn't infinite, but those systems seem a bit out there.

2 more replies

adventureloop12y ago· 3 in thread

I skimmed, but cannot seem to see which project is being supported when they say NTP.

When you support the OpenBSD Foundation you support:

- OpenBSD - OpenSSH - OpenBGPD - OpenNTPD - OpenSMTPD - LibreSSL

The wording makes me think that the initiative will be supporting something other than OpenNTPD

dankohn112y ago

They're supporting 4 projects so far: OpenSSL, OpenSSH, NTPd, and an Open Crypto Audit Project (OCAP) audit of OpenSSL. The Network Time Protocol project is here: http://ntp.org/

greglindahl12y ago

ntp has an open-source reference implementation that many Linux distros use. See http://www.ntp.org/

skreuzer12y ago

Don't forget OpenCVS

orik12y ago· 2 in thread

If OpenSSL software foundation is a for profit operation, why are tech companies funding it(1) instead of LibreSSL?

1: http://arstechnica.com/information-technology/2014/04/tech-g....

tytso12y ago

As a result, the people behind the OpenSSL Foundation are NOT taking a cut of the monies from the CII.

pjscott12y ago

The tech companies want OpenSSL to improve, and are willing to pay money; the OpenSSL guys will improve OpenSSL if paid money. What's the problem here?

joealba12y ago· 2 in thread

What about BIND for DNS?

mprovost12y ago

noselasd12y ago

bind has had ok funding over the years.

Though, bind 10 hasn't gone as well as planned - that's been other issues than funding though - https://ripe68.ripe.net/presentations/208-The_Decline_and_Fa...

dmix12y ago· 1 in thread

How do code security audits actually work? Are various well-experienced people just combing through the code and trying to break it? Or is there a more formal process?

chrisrohlf12y ago

(edit: expanded on what is most important)

tux12y ago· 1 in thread

Having "Huawei" as one of the backers does not create confidance. Recent news shows that they had there hardware backdoored.

https://duckduckgo.com/?kh=1&q=Huawei&sites=www.schneier.com...

vidarh12y ago

How is the NSA's ability to backdoor Huawei hardware relevant for Huawei's ability to provide money to help fund audits?

Presumably, the NSA hacking is a reason for Huawei to start caring a great deal more about investing in security.

dfc12y ago

davidgerard12y ago

Just LibreSSL. Let OpenSSL die its deserved death. Portable LibreSSL will do wonders.

j / k navigate · click thread line to collapse